VMware Networking Community
Sdedot, Contributor

Can permissions be delegated to groups/individuals to change Security Tags on a set of VMs?

Hi,

New to NSX and we have one team which does all the security tag assignment/revisions.  Wondering if permissions to assign security tags can be delegated to a group of individuals so they can 'change' tags on a group of their own VMs.  We are thinking if our team can 'change' tags on VMs in a Sandbox and Dev environment for servers we own, that would really help.

Thanks in advance for your help.

Accepted Solution

cnrz, Expert

The NSX Security Administrator role may configure firewall-related settings, such as which Security Group a VM with a certain tag is put in, but to give a group the permission to change tags, "Add Permissions for Tags and Tag Categories" may be helpful:

https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.vcenterhost.doc/GUID-BBA9018F-3F2F-...

Add Permissions for Tags and Tag Categories

You can manage the user privileges for working with tags and categories. The procedure for assigning permission to tags is the same as the procedure for tag categories.

About this task

Permissions for tags work the same way as permissions set for vCenter Server inventory objects. To learn about permissions and roles, see vSphere Security.

You can set permissions on common tag operations to manage the operations over the inventory objects. You must have vSphere administrator credentials to set and manage permissions for tags and organize users' activities. When you create a tag, you can specify which users and groups can operate with that tag. For example, you can grant administrative rights only to administrators and set read-only permissions for all other users or groups.

Prerequisites

Grant the vSphere Tagging privilege to users who administer tags and tag categories.

Procedure

  1. Log in to vSphere Web Client with administrator credentials.
  2. From the vSphere Web Client Home, click Tags & Custom Attributes.
  3. Click the Tags tab.
  4. Select a tag from the list, right-click the tag, and select Add Permission. You see a list with all default permissions for the selected tag.
  5. Click the Add Permission icon to add a permission to the existing list. The Add Permission dialog box appears.
  6. In the Users and Groups pane, click Add, select all the users and groups you want to add, and click OK.
  7. (Optional) Select a user or a group from the list and select a role from the Assigned Role list.
  8. (Optional) Select Propagate to children to propagate the privileges to the children of the assigned inventory object.
  9. Click OK to save the new tag permission.

Sdedot, Contributor

Thanks for the response canero...this is what we are looking for!

I take it we will need the vCenter Inventory Service.vCenter Inventory Service Tagging.Assign Inventory Service Tag privilege to add/remove tags, correct? If so, I just have to find out how to 'group' the VMs so we can assign this permission to a group of VMs.

cnrz, Expert

If I understood correctly, a user or a group of users needs to have tagging privileges on a group of VMs. Then could putting the VMs into folders such as UserA_Folder or GroupB_Folder, as in the following link, be a solution:

vSphere Tagging Privileges

https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-2F8C5B02-7EF6-428...

vSphere Tagging privileges control the ability to create and delete tags and tag categories, and assign and remove tags on vCenter Server inventory objects.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.

Privilege Name: vSphere Tagging > Assign or Unassign vSphere Tag
Description: Allows assignment or unassignment of a tag for an object in the vCenter Server inventory.
Required On: Any object

https://www.altaro.com/vmware/using-permissions-to-secure-vcenter-server/

Let’s imagine a scenario where User A is tasked to manage a set of virtual machines. The only privileges you wish to grant User A are those that would allow him or her to perform basic tasks such as powering on or rebooting a virtual machine. As it happens, User A already has an Active Directory account issued in his name, so it’s just a matter of assigning permissions on vSphere objects using this same account. For better management, the VMs User A will be responsible for have been moved to a folder ingeniously named “Folder for User A”, as shown in Figure 11. Note that I’m logged on with an administrative account.

[Image: Manage_Permissions.png]

https://www.vladan.fr/vcp6-dcv-objective-1-1-configure-and-administer-role-based-access-control/

Identify common vCenter Server privileges and roles

There are roles and privileges. A role is a collection of privileges assigned to a group or a user.

[Image: Manage_Permission_Role.png]

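The two cnrz posts above describe the mechanism in the Web Client: a role that carries the vSphere Tagging > Assign or Unassign vSphere Tag privilege, bound with propagation to a folder that holds only the team's own VMs. The PowerCLI script below is an added example, not code from this thread or from VMware's documentation, that builds that binding and then checks it from the delegated account. The vCenter name, folder name, AD group, role name, tag name and VM names are hypothetical placeholders, and the privilege ID InventoryService.Tagging.AttachTag is assumed to be the ID behind the "Assign or Unassign vSphere Tag" label; confirm it on your own vCenter with Get-VIPrivilege before running. It covers vSphere tags, which is what the documentation quoted in this thread is about; the per-tag permissions from the accepted solution are set on the tag itself in the Web Client as described there.

```powershell
# Added example (not from the thread or VMware docs): delegate "Assign or Unassign
# vSphere Tag" to an AD group on ONE VM folder, then verify the scope holds.
# All names below are hypothetical; adjust them for your environment.
param(
    [string]$VCenter   = 'vcenter.example.com',      # assumed vCenter FQDN
    [string]$Folder    = 'Sandbox-Dev-TeamA',         # assumed VM folder with the team's VMs
    [string]$Principal = 'CORP\TeamA-TagAdmins',      # assumed AD group
    [string]$RoleName  = 'TagAssigner',               # assumed role name
    [string]$PrivId    = 'InventoryService.Tagging.AttachTag'  # assumed ID of "Assign or Unassign vSphere Tag"
)

# 1. Administrative session: creating roles and permissions needs admin rights.
Connect-VIServer -Server $VCenter -ErrorAction Stop | Out-Null

# 2. Resolve the privilege by ID and stop if it does not exist under that ID,
#    so a typo cannot silently produce an empty role.
$attach = Get-VIPrivilege -Id $PrivId -ErrorAction Stop
Write-Host "Using privilege: $($attach.Name) [$($attach.Id)]"

# 3. Least-privilege role: tag assignment only. vCenter adds the implicit
#    System.Anonymous / System.View / System.Read to every role, which is all
#    the group needs to see the VMs in scope. Create/Edit/Delete Tag and
#    Category privileges are deliberately left out.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege $attach
}

# 4. Bind the role to the team's folder with propagation: it then applies to
#    every VM in the folder (including VMs moved in later) and to nothing
#    outside it. No permission is set on the datacenter or on other folders.
$vmFolder = Get-Folder -Name $Folder -Type VM -ErrorAction Stop
New-VIPermission -Entity $vmFolder -Principal $Principal -Role $role -Propagate:$true | Out-Null

# 5. Review what was granted: one propagating permission on the folder, and
#    a role whose privilege list is the tagging privilege plus the System.* ones.
Get-VIPermission -Entity $vmFolder |
    Select-Object Principal, Role, Propagate, @{n='Entity'; e={ $_.Entity.Name }}
Get-VIRole -Name $RoleName | Select-Object -ExpandProperty PrivilegeList

# 6. Negative and positive check as a group member, in a separate session.
#    Expected: tagging a VM inside the folder succeeds; a VM in another folder
#    either is not visible to this account at all or the assignment is denied.
$teamCred = Get-Credential -Message 'Enter a member of the delegated group'
$teamVI   = Connect-VIServer -Server $VCenter -Credential $teamCred -ErrorAction Stop
$tag      = Get-Tag -Name 'Web' -Server $teamVI          # assumed existing tag
$inside   = Get-VM -Name 'teama-web01' -Server $teamVI   # assumed VM inside the folder
New-TagAssignment -Tag $tag -Entity $inside -Server $teamVI
try {
    # assumed VM outside the folder; this must NOT succeed
    $outside = Get-VM -Name 'prod-web01' -Server $teamVI -ErrorAction Stop
    New-TagAssignment -Tag $tag -Entity $outside -Server $teamVI -ErrorAction Stop
    Write-Warning 'Tag assigned outside the folder: the permission is scoped too widely.'
} catch {
    Write-Host "Blocked outside the folder, as intended: $($_.Exception.Message)"
}
Disconnect-VIServer -Server $teamVI -Confirm:$false
```

Run step 1 through 5 once from an administrative PowerCLI session; step 6 is the check worth repeating whenever VMs are moved between folders, since a VM that leaves the team's folder silently leaves the team's tagging scope as well. If the group cannot browse to the folder in the Web Client, the usual fix in vSphere is a non-propagating Read-only permission on the parent object, not a wider propagating one.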
Sdedot, Contributor

Thank you very much for the information canero.  This is exactly what we need!  I appreciate the help.
